Method and apparatus for generating a key stream

ABSTRACT

A method of generating a key stream from a precomputed state information table. The method comprises initialising a counter and an accumulator with non-zero values; combining state information identified by the counter with the accumulator; swapping state information identified by the counter with state information identified by the accumulator; combining the two pieces of state information; outputting the state information identified by the combination as a byte of the key stream; adding a predetermined odd number to the counter; and repeating the above steps to produce each byte of the key stream.

This application is a continuation of U.S. patent application Ser. No. 10/348,756 filed on Jan. 23, 2003 which claims priority from U.S. Provisional Application No. 60/350,017 filed on Jan. 23, 2002 and U.S. Provisional Application No. 60/350,380 filed on Jan. 24, 2002, all of which are hereby incorporated by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to generating a key stream.

2. Description of the Prior Art

Early multimedia broadcasts consisted of radio or television programs sent over the air waves. Anyone with a tuner could access the broadcast. Premium services impose access controls by such means as scrambling the signals. Content providers control access to the descramblers.

There are many types of multimedia transmissions including radio, television, sound, video, and animations. This may be sent over land lines or over wireless channels, over long or short distances, or even through satellite transmission, or through a combination of channels.

When multimedia content is broadcast, it is often desired to prevent unauthorized parties from reading the content. This may be accomplished by encrypting the content using a stream cipher. A secret key is used in the encryption and must be shared with the desired recipients of the content.

A commonly used stream cipher which may be used for multimedia broadcasts is known by the trade name RC4. However, this stream cipher has been shown to have certain weaknesses, which may be exploited. These include the invariance weakness, and some leakage of keying material.

Therefore it is an object of the present invention to obviate or mitigate the above disadvantages.

SUMMARY OF THE INVENTION

According to one aspect of the present invention, there is provided a method of generating a key stream from a precomputed state information table. The method comprises initialising a counter and an accumulator with non-zero values; combining state information identified by the counter with the accumulator; swapping state information identified by the counter with state information identified by the accumulator; combining the two pieces of state information; outputting the state information identified by the combination as a byte of the key stream; adding a predetermined odd number to the counter; and repeating the above steps to produce each byte of the key stream.

In another aspect of the present invention, there is provided a computer readable medium containing instructions for a computer to generate a key stream from a precomputed state information table. The key stream generation comprises initialising a counter and an accumulator with non-zero values; combining state information identified by the counter with the accumulator; swapping state information identified by the counter with state information identified by the accumulator; combining the two pieces of state information; outputting the state information identified by the combination as a byte of the key stream; combining a predetermined odd number with the counter; and repeating the above steps to produce each byte of the key stream.

In a further aspect of the present invention, there is provided, in a stream cipher, a method of generating a key stream from state information derived from a secret key. The improvement comprises initialising registers to non-zero values; and incrementing a counter with a predetermined odd number greater than 1.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:

FIG. 1 is a schematic representation of a communication system.

FIG. 2 is a schematic representation of the encryption used in FIG. 1.

FIG. 3 is a schematic representation of a circuit used in the key stream generator of FIG. 1.

FIG. 4 is a flow chart showing steps performed by the circuit of FIG. 3.

FIG. 5 is a schematic representation of a component of a key stream generator of FIG. 1.

FIG. 6 is a flowchart showing the method of FIG. 5.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to FIG. 1, a communication system 10 includes a pair of correspondents 12, 14. A communication channel 16 allows the correspondents to communicate with each other. The correspondents 12, 14 share a secret key 20 through a secure channel prior to initiating communications. Each correspondent has a key stream generator 22, 24, each connected to a respective XOR gate 23, 25. The correspondent 12 wishes to send content 26 through the communication channel 16 to the correspondent 14, where the content 28 may be recovered and viewed. The key stream generators 22, 24 each use the common secret key 20 to derive a common key stream. The common key stream is used by the correspondent 12 to encrypt the content 26 into an encrypted signal, and by the correspondent 14 to decrypt the encrypted signal and obtain the content 28. The encrypted signal is transmitted over the communication channel 16. The content 26 is a stream of data notionally divided into bytes.

Referring to FIG. 2, the nature of the encryption performed by the correspondents 12, 14 is shown in more detail. The encryption operates on each byte of the content 26 in turn. Each byte of the content is encrypted with a corresponding byte of the key stream 22. The bytes of the content and the key stream are operated on by an XOR gate 23, which combines them to obtain the corresponding byte of the output cipher text 32. The XOR gate 23 implements a bitwise exclusive-or operation, meaning one or the other but not both.

Referring to FIG. 3, initialization of the key stream generator is shown generally as numeral 40. The key stream generator includes a counter i (42), state information table S (44), a swap mechanism 46, and an accumulator j (48). The state information table S comprises 256 table entries addressed by the numbers 0 to 255, each of which may have a value from 2 to 255. Notationally, S[10] refers to the 10th entry in the table, for example. Initially, each table entry has the same value as its position, i.e. 0 is in position 0, 1 is in position 1, etc.; that is, S[i]=i for each i from 0 to 255. The key stream further includes registers a (50) and b (52). The key stream generator takes as input the key 20. The counter i (42) designates both a position (address) in the table of state information 44 and a corresponding byte in the key 20. The designated table entry and byte of the key are connected to the accumulator j (48) which adds the values mod 256 and stores the result in the accumulator 48. The result in the accumulator 48 designates the address (position) of the entry in the table of the state information S. The swap mechanism 46 connects the table entries in the positions indicated by the counter i and the accumulator j in order to exchange their contents. The registers 50 and 52 operate to add the entries in the state information table designated by i and j to their respective contents a and b.

Referring to FIG. 4, the steps performed by the circuit of FIG. 3 are shown generally by the numeral 60. The counter i is first set to 0 (62). Then, the table entry of the state information designated by the number i (that is S[i]) is added to the accumulator j (64). The byte in position i of the key 20 (that is K[i]) is also added to j (66). The table entries in positions i and j in the state information table (S[i] and S[j]) are then added to respective ones of the registers a and b (70), then the table entries in positions i and j (S[i] and S[j]) are exchanged (68). The counter i is incremented (72) by 1. Then, if the counter i is less than 256 (74), the process repeats at step 64. This continues until a total of 256 iterations have been performed. At this time, the entries of the state information table 44 are randomly distributed, due to the random nature of the key within register 20. This mixing is performed prior to transmission over the channel 16. The contents of registers 50, 52 similarly contain a pair of values, accumulated mod 256 in a random manner. The contents of the state information table 44 and the registers 50, 52 are then used to generate a key stream.

Referring to FIG. 5, the circuit of the key stream generator used to produce the key stream is shown generally as numeral 80 and uses the components described above, as well as an adding circuit 84 and an odd number c. The counter i (42) selects an entry (S[i]) of the state information table S 44, which is in turn connected to the accumulator j (48) for addition thereto. The result stored in the accumulator 48 again designates a table entry of state information 44. The swap mechanism 46 operates to exchange the table entries designated by counter i and accumulator j. The adding circuit 84 is connected to the table entries designated by i and j (namely S[i] and S[j]) to add them together, and to determine the cell designated thereby. The contents of this cell 86 are output as a byte of the key stream. Registers 50 and 52 are connected to the counter i and the accumulator j respectively to initialise the registers 42, 48 with the values a, b.

Referring to FIG. 6, the steps performed by the circuit of FIG. 5 are shown generally as numeral 100. The counter i is set to the value a (102) and the accumulator j is set to the value b (102). Then, the table entry in position i in the state information table (S[i]) is added to the accumulator j (104). The table entries in positions i and j in the state information table are then exchanged (106). The adding mechanism 84 then computes the value t equal to the sum of the table entries in the positions i and j in the state information table (108). The contents of the cell designated t (S[t]) are then output for use as a key stream (110). Then, the value c is added to i (112) and the process repeats with step 104.

It will be recognized that with the provision of the values a and b in the generation of the key stream, there is less predictability than when these values are initially set to 0. Further, the use of a constant value c provides further unpredictability in the order of the swaps performed. The constant value c may be publicly known, and may be derived from a session identifier or an SID. A particularly convenient value to use for c is the bit-wise OR of SID with 1, which is the smallest odd integer larger than or equal to SID.

It will be recognized that the use of 256 positions in the table S is merely for convenience and compatibility with existing protocols. It is possible to use any value n in place of the 256, with appropriate changes to the modular arithmetic, and the initial entries in the state information table. The key stream will then be made up of larger blocks, and accordingly the content would be regarded as larger units as will be understood by one skilled in the art. It will further be understood that the value c should be suitably chosen, and typically will be relatively prime to the modulus n.

For efficiency reasons, the constant c that is used in the key stream generator should be easy to compute from publicly known information and the key K. For security reasons, one should require that gcd(c,n)=1, since the security can be expected to decrease if c and n have a nontrivial common factor. The ‘optimal’ value of this constant depends on whether or not the keys used with the stream-cipher are correlated and, if so, how.

The embodiment above describes one possible method for computing the initialization value (a,b) used in the key stream generator. There are many options for specifying this initial value; this choice seemed to be the most efficient one. From a security perspective, the main requirement is that the initialization values (a,b) should be unpredictable and uncorrelated if one does not have access to the keys used. In addition, it should be noted that the main attack proposed against RC4 does not seem to work any more, once one takes the initial value (a,b) of the counter pair such that a is sufficiently big.

It may be seen that the circuit of the above embodiment may be made interoperable with RC4 if one takes c=1 and forces (a,b):=(0,0). Further interoperability may be achieved if one takes as key the string Key:=(K)_(N), where K is the key used with the actual stream-cipher RC4.
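The key setup of FIG. 4 and the key stream generation of FIG. 6, as an added Python sketch that is not code from the patent. It assumes the key bytes repeat when the key is shorter than the table; the function names and the sample key and SID are illustrative.

```python
from math import gcd

N = 256  # table size used on the page; all arithmetic is mod N


def key_setup(key: bytes):
    """FIG. 4: mix table S with the key and accumulate registers a and b."""
    S = list(range(N))              # S[i] = i initially
    j = a = b = 0
    for i in range(N):
        # Assumption: key bytes repeat when the key is shorter than N.
        j = (j + S[i] + key[i % len(key)]) % N
        a = (a + S[i]) % N          # registers are updated before the swap
        b = (b + S[j]) % N
        S[i], S[j] = S[j], S[i]
    return S, a, b


def derive_c(sid: int) -> int:
    """Public stride c = SID OR 1, reduced mod N (stays odd for even N)."""
    return (sid | 1) % N


def keystream(S, a, b, c, length):
    """FIG. 6: counter starts at a, accumulator at b, counter steps by c."""
    if gcd(c, N) != 1:
        raise ValueError("c must be relatively prime to N")
    S = list(S)                     # work on a copy of the mixed table
    i, j = a, b
    out = bytearray()
    for _ in range(length):
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
        i = (i + c) % N
    return bytes(out)


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    """The XOR gate of FIG. 2; the same call encrypts and decrypts."""
    return bytes(x ^ y for x, y in zip(data, ks))


def crypt(key: bytes, sid: int, data: bytes) -> bytes:
    """Key setup, stride derivation and XOR in one call."""
    S, a, b = key_setup(key)
    return xor_bytes(data, keystream(S, a, b, derive_c(sid), len(data)))


def counter_positions(a: int, c: int) -> int:
    """Number of distinct table positions the counter visits in N steps."""
    return len({(a + k * c) % N for k in range(N)})


if __name__ == "__main__":
    key, sid = b"constructed demo key", 0x2A   # constructed sample values
    ct = crypt(key, sid, b"broadcast frame")
    print(ct.hex(), crypt(key, sid, ct))
    # An odd stride walks the whole table; an even one skips half of it.
    print(counter_positions(5, derive_c(sid)), counter_positions(5, 6))
```

Because this sketch advances the counter after each output byte, as FIG. 6 describes, starting values (1, 0) with c = 1 reproduce the standard RC4 key stream, which gives a known-answer check for the table handling.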

It is possible to generalize the stream cipher of the above embodiment even further, e.g., by making the actions of the key stream generator dependent on the key K as well.

Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

1. A method of generating a key stream, the method being performed by a correspondent in a communication system, the correspondent including a counter, an accumulator, and a table having state information stored therein, the method comprising: a) said correspondent using the counter, the accumulator, and the state information to generate a pair of non-zero values; b) said correspondent initializing the counter with a first of the pair of non-zero values and said correspondent initializing the accumulator with a second of the pair of non-zero values; c) said correspondent obtaining a constant odd value, c, greater than 1; d) said correspondent combining with a current value for the accumulator state information identified by a current value for the counter to obtain a next value for the accumulator; e) said correspondent swapping said state information identified by the current value for the counter with state information identified by said next value for the accumulator; f) said correspondent combining the state information swapped in step d) to generate a combined value; g) said correspondent outputting state information identified by the combined value as a byte of the key stream; and h) said correspondent combining said odd value c with the current value for the counter to generate a next value for said counter; wherein said correspondent repeats steps d) to h) to produce each byte of the key stream.
2. The method according to claim 1 wherein computations are performed modulo a number n.
3. The method according to claim 2, wherein said odd value c is prime relative to n.
4. The method according to claim 2, wherein said combining in steps d, f, and h are additions modulo n.
5. The method according to claim 1 wherein said odd value c is derived from a publicly available session identifier.
6. The method according to claim 1 wherein the correspondent has access to secret key information and wherein step a) comprises: i. said correspondent initializing said counter; ii. said correspondent combining with a value of the accumulator state information identified by a value of the counter and key information identified by the value of the counter to obtain another value of the accumulator; iii. said correspondent combining state information identified by the value of the counter with the first of the pair of non-zero values; iv. said correspondent combining state information identified by said another value of the accumulator with the second of the non-zero values; v. said correspondent swapping the state information identified by the value of the counter with the state information identified by the another value of the accumulator; and vi. said correspondent incrementing the counter to generate another value for the counter; wherein said correspondent repeats steps ii to vi to generate said pair of non-zero values.
7. A correspondent having a key stream generator for generating a key stream, the key stream generator comprising a counter, an accumulator, and a table having state information stored therein, said correspondent being configured to perform steps comprising: a) said correspondent using the counter, the accumulator, and the state information to generate a pair of non-zero values; b) said correspondent initializing the counter with a first of the pair of non-zero values and said correspondent initializing the accumulator with a second of the pair of non-zero values; c) said correspondent obtaining a constant odd value, c, greater than 1; d) said correspondent combining with a current value for the accumulator state information identified by a current value for the counter to obtain a next value for the accumulator; e) said correspondent swapping said state information identified by the current value for the counter with state information identified by said next value for the accumulator; f) said correspondent combining the state information swapped in step d) to generate a combined value; g) said correspondent outputting state information identified by the combined value as a byte of the key stream; and h) said correspondent combining said odd value c with the current value for the counter to generate a next value for said counter; wherein said correspondent is configured to repeat steps d) to h) to produce each byte of the key stream.
8. The correspondent according to claim 7 wherein the correspondent performs computations modulo a number n.
9. The correspondent according to claim 8, wherein said odd value c is prime relative to n.
10. The correspondent according to claim 8, wherein said combining in steps d, f, and h are additions modulo n.
11. The correspondent according to claim 7 wherein said odd value c is derived from a publicly available session identifier.
12. The correspondent according to claim 7 wherein the correspondent has access to secret key information and wherein the correspondent is configured to perform step a) by performing steps comprising: i. said correspondent initializing said counter; ii. said correspondent combining with a value of the accumulator state information identified by a value of the counter and key information identified by the value of the counter to obtain another value of the accumulator; iii. said correspondent combining state information identified by the value of the counter with the first of the pair of non-zero values; iv. said correspondent combining state information identified by said another value of the accumulator with the second of the non-zero values; v. said correspondent swapping the state information identified by the value of the counter with the state information identified by the another value of the accumulator; and vi. said correspondent incrementing the counter to generate another value for the counter; wherein said correspondent is configured to repeat steps ii to vi to generate said pair of non-zero values.
13. A computer readable medium having stored thereon computer readable instructions for performing a method of generating a key stream in a correspondent, the correspondent including a counter, an accumulator, and a table having state information stored therein, the computer readable instructions comprising instructions for: a) said correspondent using the counter, the accumulator, and the state information to generate a pair of non-zero values; b) said correspondent initializing the counter with a first of the pair of non-zero values and said correspondent initializing the accumulator with a second of the pair of non-zero values; c) said correspondent obtaining a constant odd value, c, greater than 1; d) said correspondent combining with a current value for the accumulator state information identified by a current value for the counter to obtain a next value for the accumulator; e) said correspondent swapping said state information identified by the current value for the counter with state information identified by said next value for the accumulator; f) said correspondent combining the state information swapped in step d) to generate a combined value; g) said correspondent outputting state information identified by the combined value as a byte of the key stream; and h) said correspondent combining said odd value c with the current value for the counter to generate a next value for said counter; wherein said instructions further comprise instructions for said correspondent repeating steps d) to h) to produce each byte of the key stream.
14. The computer readable medium according to claim 13 wherein computations in said instructions are performed modulo a number n.
15. The computer readable medium according to claim 14, wherein said odd value c is prime relative to n.
16. The computer readable medium according to claim 14, wherein said combining in steps d, f, and h are additions modulo n.
17. The computer readable medium according to claim 13 wherein said odd value c is derived from a publicly available session identifier.
18. The computer readable medium according to claim 13 wherein the correspondent has access to secret key information and wherein step a) comprises: i. said correspondent initializing said counter; ii. said correspondent combining with a value of the accumulator state information identified by a value of the counter and key information identified by the value of the counter to obtain another value of the accumulator; iii. said correspondent combining state information identified by the value of the counter with the first of the pair of non-zero values; iv. said correspondent combining state information identified by said another value of the accumulator with the second of the non-zero values; v. said correspondent swapping the state information identified by the value of the counter with the state information identified by the another value of the accumulator; and vi. said correspondent incrementing the counter to generate another value for the counter; wherein said instructions further comprise instructions for said correspondent repeating steps ii to vi to generate said pair of non-zero values.
19. A correspondent in a data communication system comprising: a) a counter; b) an accumulator; c) a table having state information stored therein; d) means for using the counter, the accumulator, and the state information to generate a pair of non-zero values and to initialize the counter with a first of the pair of non-zero values and to initialize the accumulator with a second of the pair of non-zero values; e) means for combining with a current value for the accumulator state information identified by a current value for the counter to obtain a next value for the accumulator; f) means for swapping said state information identified by the current value for the counter with state information identified by said next value for the accumulator; g) means for combining the state information identified by the counter and the accumulator to generate a combined value; h) means for using state information identified by the combined value as a byte of a key stream; and i) means for combining a constant odd value, c, greater than 1, with the current value for the counter to generate a next value for said counter; wherein said correspondent is configured to generate the key stream using elements a) to i).